CA Mainframe Software Manager r3 - Error: An error occurred trying to connect to Support Online.

book

Article ID: 51015

calendar_today

Updated On:

Products

CA Compress Data Compression for MVS CA Compress Data Compression for Fujitsu CA Datacom CA Datacom - AD CA Mainframe Software Manager (Chorus Software Manager) CA MICS Resource Management CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Datacom/AD

Issue/Introduction

Description:

Under certain environments it is possible to experience the following problem in the CA Mainframe Software Manager UI when attempting an action from the Software Catalog that tries to access CA Support Online (CA SO).

 
 Error: An error occured trying to connect to CA Support Online.
 java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext
 Default implementation not found:

When viewing the CA Mainframe Software Manager tomcat log you will see a message like:

DEBUG .....  (ConsumeSC.java:106): IO Error was detected during PAS processing. ... 
java.security. NoSuchAlgorithmException: SSLContext Default implementation not found:

Solution:

This error is related to the java runtime security for SSL connections.

In the CA Mainframe Software Manager runtime data set SAMPLIB(MSMLIB), note the USS path specified for "export JAVA_HOME=".
Using this as the parent directory, locate the lib/security subdiretory in USS. There is a java.security file with a section header "List of providers and their preference orders (see above).". This section should closely resemble these entries:

 
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

If you notice an entry that is similar to the following: 

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
then you may have implemented a hardware ICSF keystore as the default keystore for the java runtime.

If you want to determine if this is the case, edit the MSMLIB member to add an option which dumps keystore information:

-Djavax.net.debug=true

After restarting the CA Mainframe Software Manager Tomcat server, look for an output line like:

keyStore type is: jks

"jks" is the default keystore with which CA Mainframe Software Manager will successfully establish http SSL connections.

If you see a keyStore.type=jceccaks, that is indicative of a hardware ICSF keystore and most likely the root cause of the exception logged in CA Mainframe Software Manager.

The jceccaks keystore type may have been implemented with IBM EKM tape encryption.

To change the default keyStore back to "jks", please consult your z/OS system programmer.

Additional references:

 ftp://public.dhe.ibm.com/s390/java/jsse/JSSEzOSRefGuide.html
 http://www-03.ibm.com/systems/z/os/zos/tools/java/faq/javasecurityfaq.html
 http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf

Environment

Release:
Component: MSM
Powered by Wolken Software